Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

deleted data input file directory. Then, renamed and created a new data input directory. Ran Search but no results found

qtorque95
Explorer
‎12-17-2018 02:35 PM

in Splunk Enterprise version 7.2.1, Step 1. created a data input from "Files & Folders" | "New Local File & Directory" button. For example: D:\a4. Then, ran a search query from the D:\a4 contents and return results ok.
Then, realized I mis-spelled "a4" so, deleted the data input "a4" from http://localhost:8000/en-US/manager/search/data/inputs/monitor". Next, in Windows Explorer, renamed folder form "a4" to "b4" .
And repeated Step1 and pointed to D:\b4
However, after running search on the new data input directory, get no results. Checked C:\Program Files\Splunk\etc\apps\search\local\inputs.conf . And "D:\a4" is not listed. Please help me. Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

whrg
Motivator
‎12-19-2018 11:36 PM

Hello @qtorque95,

Check out How Splunk Enterprise handles log file rotation.

When you or a log rotation program moves a file then Splunk recognizes that it is the same file and does not index it again.

If you really want to index that file again, then I see two options:

Option 1: Add the following line to your inputs.conf:

crcSalt = <SOURCE>

Doing so ensures that each file has a unique CRC.

(You need to restart Splunk after making changes to configuration files.)

Option 2: You remove the indexed data. Do the following on the command line:

splunk clean eventdata -index <index_name>

This will delete the indexed data and reindex any inputs. You need to stop Splunk first before issuing this command.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

qtorque95
Explorer
‎12-20-2018 04:04 PM

Thank you @whrg, @prakash007 for your answers. What i did to solve it:
1. in Windows server, went to Control Panel --> Services.
2. Stop and start "Splunkd Service".

0 Karma
Reply
Solved! Jump to solution
Solution

whrg
Motivator
‎12-19-2018 11:36 PM

Hello @qtorque95,

Check out How Splunk Enterprise handles log file rotation.

When you or a log rotation program moves a file then Splunk recognizes that it is the same file and does not index it again.

If you really want to index that file again, then I see two options:

Option 1: Add the following line to your inputs.conf:

crcSalt = <SOURCE>

Doing so ensures that each file has a unique CRC.

(You need to restart Splunk after making changes to configuration files.)

Option 2: You remove the indexed data. Do the following on the command line:

splunk clean eventdata -index <index_name>

This will delete the indexed data and reindex any inputs. You need to stop Splunk first before issuing this command.

0 Karma
Reply
Solved! Jump to solution

prakash007
Builder
‎12-18-2018 11:19 AM

@qtorque95 : looks like you have Splunk-enterprise installed on your local...
1.try running this command to check the inputs status of the monitor path
$SPLUNK_HOME/bin/splunk list input status
2. if you see your monitor path from the list above, you can reset the file checkpoints(splunk might be thinking the above file as a duplicate)
https://docs.splunk.com/Documentation/Splunk/7.2.1/Troubleshooting/CommandlinetoolsforusewithSupport...
read this splunk doc on How Splunk calculates CRC..
https://docs.splunk.com/Documentation/Splunk/7.2.1/Data/Howlogfilerotationishandled
3. Stop Splunk, delete fishbucket($SPLUNK_HOME/var/lib/splunk/fishbucket), and start splunk(this will reindex all files, NOT a best solution on prod boxes)

0 Karma
Reply
Solved! Jump to solution

qtorque95
Explorer
‎12-19-2018 02:41 PM

thank you @prakash007 . 1. Using windows command prompt, typed, " cd C:\Program files\splunk\bin\ splunk.exe list input status ". Another dos screen opens for 2 or 3 seconds, but not able to see the contents. Even tried to send results as follows: at C:\Program Files\Splunk\bin typed (shown in quotes),
"splunk.exe list input status > inputstatus.txt " to see printed results. But got " Access Denied". I don't understand as I am logged in as Administrator.
3. Using Windows Control panel | Services, I stopped "Splunkd Service". But not sure the syntax to run the "delete" fishbucket using windows command or Windows PowerShell. ( I searched for this, but success). Thank you.

0 Karma
Reply
Solved! Jump to solution

ssadanala1
Contributor
‎12-19-2018 03:18 PM

Execute command below to reset fishbucket

.\splunk.exe cmd btprobe -d "C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db" --file

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...